Wednesday, January 15, 2025
The Cybersecurity and Infrastructure Security Agency (CISA) has added new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. One of them is CVE-2024-12686, an OS command injection vulnerability with a CVSS severity score of 6.6 in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). It allows an attacker who already holds administrative privileges in the product to upload a malicious file and execute operating system commands. The requirement for an existing admin account is why the score is only moderate; what earned the entry a place in the catalog is evidence of exploitation in the wild, not the score.
Another newly added vulnerability is CVE-2023-48365, an HTTP tunneling vulnerability in Qlik Sense Enterprise for Windows, which carries a CVSS severity score of 9.6. Because the product improperly validates HTTP headers, a remote attacker can tunnel crafted HTTP requests through the raw transport layer so that the backend server hosting the repository application executes them, elevating the attacker's privileges and exposing critical system data to unauthorized access.
To mitigate these risks, agencies of the Federal Civilian Executive Branch (FCEB) are required under Binding Operational Directive 22-01 to remediate the vulnerabilities by the due date CISA has set, February 3, 2025. The directive binds only FCEB agencies, but CISA urges all organizations to prioritize the same fixes, since every KEV entry is a vulnerability with confirmed in-the-wild exploitation.
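The check a practitioner usually wants after a KEV update is whether any newly listed product is in their own estate and how long remains until the due date. The script below is an added example, not code from the original page or from CISA: it parses a KEV catalog snapshot in the field layout of CISA's published JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), filters by vendor or product, and computes days remaining or overdue. The two-entry catalog embedded here is constructed for the example (descriptions and the ransomware-use flags are placeholders); in practice you would download the live feed and pass its contents to `load_kev`.

```python
"""Triage a CISA KEV catalog snapshot against remediation due dates.

Added example, not part of the original page. Field names follow CISA's
public KEV JSON feed; the sample catalog below is constructed, not copied.
"""
import json
from datetime import date

# Constructed two-entry snapshot mirroring the additions discussed above.
# shortDescription/requiredAction/knownRansomwareCampaignUse are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.01.13",
    "dateReleased": "2025-01-13T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-12686",
            "vendorProject": "BeyondTrust",
            "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
            "vulnerabilityName": "BeyondTrust PRA and RS OS Command Injection Vulnerability",
            "dateAdded": "2025-01-13",
            "shortDescription": "placeholder",
            "requiredAction": "placeholder",
            "dueDate": "2025-02-03",
            "knownRansomwareCampaignUse": "placeholder",
        },
        {
            "cveID": "CVE-2023-48365",
            "vendorProject": "Qlik",
            "product": "Sense",
            "vulnerabilityName": "Qlik Sense HTTP Tunneling Vulnerability",
            "dateAdded": "2025-01-13",
            "shortDescription": "placeholder",
            "requiredAction": "placeholder",
            "dueDate": "2025-02-03",
            "knownRansomwareCampaignUse": "placeholder",
        },
    ],
})


def load_kev(raw: str) -> list[dict]:
    """Parse the KEV feed JSON and return its vulnerability entries."""
    return json.loads(raw)["vulnerabilities"]


def added_since(entries: list[dict], since: date) -> list[str]:
    """CVE IDs whose dateAdded is strictly after `since` (e.g. your last pull)."""
    return sorted(e["cveID"] for e in entries
                  if date.fromisoformat(e["dateAdded"]) > since)


def triage(entries: list[dict], today: date, products=None) -> list[dict]:
    """Rows sorted by due date with days remaining (negative means overdue).

    `products` is an optional set of case-insensitive substrings matched against
    vendor and product, e.g. {"beyondtrust", "qlik"} for the inventory you run.
    """
    rows = []
    for e in entries:
        haystack = f"{e['vendorProject']} {e['product']}".lower()
        if products and not any(p.lower() in haystack for p in products):
            continue
        due = date.fromisoformat(e["dueDate"])
        days_left = (due - today).days
        status = "OVERDUE" if days_left < 0 else "DUE_TODAY" if days_left == 0 else "OPEN"
        rows.append({"cve": e["cveID"], "vendor": e["vendorProject"],
                     "due": due, "days_left": days_left, "status": status})
    rows.sort(key=lambda r: (r["due"], r["cve"]))
    return rows


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    print("new since 2025-01-12:", added_since(entries, date(2025, 1, 12)))
    for row in triage(entries, date(2025, 1, 15)):
        print(f"{row['cve']:<16} {row['vendor']:<12} due {row['due']} "
              f"({row['days_left']:+d} days) {row['status']}")
```

Run it against the live feed by replacing `SAMPLE_KEV_JSON` with the downloaded file's contents; `added_since` with the date of your previous pull gives the delta to feed into ticketing, and `triage` with today's date and your product list gives the deadline view.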